
Re: Origin enables XSS to escalate to XSRF (was: security issue with XMLHttpRequest API compatibility)

From: Adam Barth <w3c@adambarth.com>
Date: Thu, 11 Jun 2009 10:24:03 -0700
Message-ID: <7789133a0906111024w51c14316sb7b7d2b6c54450d2@mail.gmail.com>
To: Jonathan Rees <jar@creativecommons.org>
Cc: "Mark S. Miller" <erights@google.com>, public-webapps <public-webapps@w3.org>
On Thu, Jun 11, 2009 at 4:35 AM, Jonathan Rees<jar@creativecommons.org> wrote:
> I think this may be a foolish question, but is the value of Origin:
> limited to sites? Couldn't it be an individual web page (URI)? Or a
> wildcard? Is there some principled reason for such a limitation (if it
> exists)?

If we changed the value of the Origin header to be a URI instead of
an origin, then it would be very similar to the Referer header.
Limiting the Origin header to an origin improves the privacy of the
Referer header.  Also, the additional information (path, query, etc)
is not useful for making security decisions because the URIs can just
script each other on the client anyway.

Adam
Received on Thursday, 11 June 2009 17:25:09 GMT
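The origin-versus-URI distinction Adam draws above, shown in code. This is an added example, not part of the original message or of any W3C specification text; it uses the WHATWG URL API (available in browsers and Node.js) to serialize an origin, contrasts it with what a full-URL Referer would carry, and sketches a server-side allowlist check on the Origin header. The allowlist, the decision to reject a missing or "null" Origin, and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not from the thread): how an Origin header value relates to a URL.
// Uses the WHATWG URL API, a global in browsers and in Node.js.

// Serialize the origin of a URL the way the Origin header does:
// scheme, host and non-default port only. Path, query and fragment are dropped,
// and a default port (443 for https, 80 for http) is omitted.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Side by side: what a full-URL Referer (no referrer-policy trimming) would
// expose for the same navigation versus what Origin exposes.
function headerValuesFor(urlString) {
  const u = new URL(urlString);
  // Referer historically carried the whole URL minus the fragment.
  const referer = u.href.replace(/#.*$/, '');
  return { origin: u.origin, referer };
}

// Two URLs are in the same origin iff their serialized origins match.
// Pages in the same origin can script each other, so distinguishing them
// by path or query buys the server nothing for a security decision.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Illustrative server-side CSRF check on the Origin request header (assumed policy):
// accept only when the header is present, is not the opaque "null" origin,
// and matches one of the site's own origins. Missing header is rejected here;
// a real deployment must decide how to treat legacy clients that omit it.
function isAllowedOrigin(originHeader, allowedOrigins) {
  if (originHeader === undefined || originHeader === null) return false;
  if (originHeader === 'null') return false; // opaque origin (sandboxed frame, data: URL, ...)
  return allowedOrigins.has(originHeader);
}

// Constructed sample data for a stand-alone run.
const SITE_ORIGINS = new Set(['https://example.com', 'https://www.example.com']);
const PAGE_A = 'https://example.com/account/settings?tab=security#tokens';
const PAGE_B = 'https://example.com/blog/post-42';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(headerValuesFor(PAGE_A));
  console.log('same origin:', sameOrigin(PAGE_A, PAGE_B));
  console.log('accept example.com:', isAllowedOrigin(originOf(PAGE_A), SITE_ORIGINS));
  console.log('accept attacker:', isAllowedOrigin('https://attacker.example', SITE_ORIGINS));
}
```

Running it prints the Referer value with its path and query intact while the Origin value collapses to `https://example.com`; the two sample pages, which differ only in path, compare as the same origin, which is exactly why a per-URI Origin would add privacy cost without adding security value.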
